Your global authentication-default is “requires authentication”. You create a new action method on a controller that should be accessible without authentication and forget to add the [AllowAnonymous] attribute.

Resultingissue: You try your application, can’t enter that new page and fix it. In the worst case you didn’t do your homework and a customer/user finds the bug and complains to you.

Which issue would you rather have to deal with?

I personally prefer the whitelisting approach and err on the side of caution.